I'm the maintainer of a *very* popular open-source PHP package - PHPMailer. In December 2016, two critical remote code execution vulnerabilities were found in PHPMailer, affecting potentially tens of millions of sites. There's a lot that goes on behind a CVE number - I'd been involved in reporting some minor security issues in the past, but nothing of this magnitude, and never at the receiving end, so I found myself at the start of a steep learning curve and an emotional roller-coaster. This is the story of how I ended up as the maintainer of a major open-source project, dealing with the project, vulnerabilities, contributions, donations and more.
I gave this talk at ConFoo Montreal 2018, though I have also given it at the Dutch PHP Conference 2017 and PHP Benelux 2018, where it was very well received:
https://joind.in/event/confoo-montreal-2018/tales-from-the-wrong-end
https://joind.in/event/dutch-php-conference-2017/tales-from-the-wrong-end